ThinkCyber | Half of employees afraid to report security mistakes


Respondents to a recent ThinkCyber Security Ltd survey showed that over half of cyber professionals would not feel free from repercussions if they reported a mistake within their organisation.

In addition, respondents to the survey, which examined attitudes towards security awareness training, were asked which security behaviours caused the most concern at their organisation. The top results were:

  • Clicking on links in emails (53%)
  • Sharing corporate data outside of the business (53%)
  • Sharing of usernames and passwords (51%)

The study also showed that a quarter of cybersecurity professionals doubt that their colleagues change their behaviour as a result of current security awareness training, and 60% admitted they only receive training once every few months or even just once a year.

As threats grow more sophisticated and frequent, it’s essential to provide regular and consistent training to stay effective. If training doesn’t keep up with the latest threats, organisations will be left vulnerable and stuck in the past.

“Security awareness training is most effectively delivered in the moment when it can be directly contextualised by the recipient. This approach not only enhances comprehension by linking awareness to an immediate and relevant situation but also serves as a proactive nudge towards safe behaviour,” said Tim Ward, CEO at ThinkCyber. “By intervening at the precise moment when a risky action is about to be taken, individuals are more likely to understand the specific dangers and consequences associated with their actions.

“This timely intervention ensures that the lesson is not abstract or theoretical but grounded in a real-world context, making it more impactful. Therefore, the individual is informed about potential risks and guided towards making safer choices before any harm can occur, significantly mitigating the chances of a security breach or incident.”

Organisations must also measure and track the progress of their security awareness programmes to determine effectiveness and make changes where necessary. When respondents were asked whether the business had a way to identify the user groups who are carrying out these behaviours, almost half (49%) said that they did not for all of the behaviours causing concern.

Other findings from the survey included:

  • 42% of respondents felt that their organisation could not even somewhat prove whether their current security awareness training is changing risky behaviours. For those who felt that their business could somewhat prove a change in risky behaviours, further research would be required to determine if this comes in the form of phishing test click rates which can be highly variable.
  • When asked whether they felt like security awareness training is a priority shared across the business, 51% said they thought most people across the business were focused on security, whereas 39% said they felt only the executives and security teams were focused on it.

When numerous security experts confess that their organisation’s security awareness training isn’t cutting it, it’s a huge red flag that something’s amiss and it’s time to re-evaluate.

Ward adds, “Cybersecurity should be a concern for everyone, so pinpointing which user groups need extra help with safe practices is crucial for any business. A training programme that’s flexible and enjoyable can make all the difference, boosting staff engagement and giving cyber professionals greater confidence in their team’s ability to make smart security decisions.”

Top 3 ways to make Security Awareness Training work

  • Deliver ongoing training – Annual training isn’t enough. Security awareness training should be provided to employees on a regular basis. This will help to maintain awareness and keep employees up to date with the latest cybersecurity threats.
  • Drip-feed content – When respondents were asked how they like to receive security awareness training, 70% said they want to keep their knowledge fresh, and that little and often works for them. Delivering the content of your security awareness programme in small, bite-size segments not only helps to maximise engagement levels amongst staff but also helps to reinforce ongoing awareness and learning outcomes.
  • Measure engagement levels and progress – Measure behavioural impact as well as engagement. Measuring engagement levels offers a leading indicator of progress, but behavioural impact shows the effectiveness of the programme in reducing risk, as well as highlighting user groups that display risky behaviour.

Methodology

Independent researchers on behalf of ThinkCyber surveyed 163 cybersecurity professionals, including CISOs/CIOs, Senior Cybersecurity Managers and IT decision makers, at Infosecurity Europe, held in London, between 4th and 6th June 2024.
